Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

9005436ea8...62.exe

windows7-x64

10

9005436ea8...62.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

  • Size

    742KB

  • Sample

    221126-kybhcsff34

  • MD5

    39c0e005cd2892a7b315081f9db6dc37

  • SHA1

    e9c2dda548ca0f53939d8bbf9228a92977964341

  • SHA256

    9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

  • SHA512

    e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

  • SSDEEP

    12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-fpcelmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIABSD-PKBKCIJ-G46CUBK-54EVLBP Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-fpcelmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EJ23DKV-3ULGU5C-DZKZNYN-FMGPYLO-5BBNB3V-3F6GKAV-LOV7G37-WEGG74F VBH25TC-AHM5SXN-JSBJO64-NF56BJF-WHOYQDY-EODMLAC-ZNDKZYW-6LL5AAX SI4XGSP-NXCK3IW-I6LRE3U-JNXHAZD-HHIATDD-DSBKCIJ-G46CUBK-54EFHIQ Follow the instructions on the server.
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion/

Targets

    • Target

      9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

    • Size

      742KB

    • MD5

      39c0e005cd2892a7b315081f9db6dc37

    • SHA1

      e9c2dda548ca0f53939d8bbf9228a92977964341

    • SHA256

      9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

    • SHA512

      e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

    • SSDEEP

      12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks